Problem
The Jira ticket detection in kosli attest jira extracts false-positive references when a commit message contains a CVE identifier. The leading CVE-YYYY segment matches the PROJECT-NUMBER pattern even though more digits follow.
Example
Commit message:
Pull request #41: AGENT-459: Pin tomcat-embed to 11.0.22 for CVE-2026-41284 / -42498 / -43514
Detected references:
AGENT-459 (correct)
CVE-2026 (false positive, from CVE-2026-41284)
Expected Behavior
The regex should only match a PROJECT-NUMBER token when it is not immediately followed by another -NUMBER segment (i.e. require a word boundary or non-digit character after the number). With that change, CVE-2026-41284 would not be matched as a Jira ticket.
Current Behavior
The pattern matches CVE-2026 as a Jira ticket, polluting the attestation with a non-existent reference.
Suggested Approach
- Update the Jira ticket regex to assert a non-digit boundary after the numeric portion (e.g. \b[A-Z][A-Z0-9]+-\d+\b(?!-\d)).
- Add unit tests covering CVE-like strings (CVE-2026-41284, CWE-79, RFC-1234) and valid Jira references adjacent to them.
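One caveat for the suggested pattern: kosli is written in Go, and Go's regexp package (RE2) rejects the negative lookahead (?!-\d), so the "not followed by -NUMBER" rule has to be applied in code after matching. The following is an added example illustrating that approach, not kosli's own implementation; the function name ExtractJiraRefs and the sample commit message are taken from this report only for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Candidate pattern without the lookahead; RE2 supports \b and \d but no (?!...).
var ticketPattern = regexp.MustCompile(`\b[A-Z][A-Z0-9]+-\d+\b`)

// LookaheadCompiles reports whether the regex suggested in the issue, with its
// negative lookahead, is accepted by Go's regexp package. It is not.
func LookaheadCompiles() bool {
	_, err := regexp.Compile(`\b[A-Z][A-Z0-9]+-\d+\b(?!-\d)`)
	return err == nil
}

// ExtractJiraRefs returns the PROJECT-NUMBER tokens in msg, dropping any
// candidate that is immediately followed by another "-<digit>" segment, so the
// CVE-2026 prefix of CVE-2026-41284 is no longer reported as a ticket.
func ExtractJiraRefs(msg string) []string {
	var refs []string
	for _, loc := range ticketPattern.FindAllStringIndex(msg, -1) {
		start, end := loc[0], loc[1]
		// Emulate (?!-\d): look at the two bytes right after the match.
		if end+1 < len(msg) && msg[end] == '-' && msg[end+1] >= '0' && msg[end+1] <= '9' {
			continue
		}
		refs = append(refs, msg[start:end])
	}
	return refs
}

func main() {
	// Commit message from the report, used here as constructed sample input.
	msg := "Pull request #41: AGENT-459: Pin tomcat-embed to 11.0.22 for CVE-2026-41284 / -42498 / -43514"
	fmt.Println("lookahead accepted by RE2:", LookaheadCompiles())
	fmt.Println("detected references:", ExtractJiraRefs(msg))
}
```

Note that CWE-79 and RFC-1234 still match this pattern, since nothing in their shape distinguishes them from a Jira key; excluding them would need a project-key allow-list rather than a regex tweak.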